Google’s Issue Tracker, also known internally as the “Buganizer,” contained until recently a vulnerability that would allow an external party access to any unpatched bug listed and described in the database.

Alex Birsan, a software developer and hobbyist bug-hunter, collected more than $15,000 in bounties for finding this bug and two other unrelated flaws in the Issue Tracker. The most critical of the three vulnerabilities allowed him to manipulate a request to the system that would elevate his privileges and provide him access to every detail about a particular vulnerability.

“The [Issue Tracker] system is open to everyone with a Google account. However, the vast majority of the issues hosted on it can only be viewed by Google employees,” Birsan said. “Some of them may only be available to certain teams, too. I found a bug that could have let me view each and every one of them.”

Birsan wrote today in a Medium post that external visitors to the Issue Tracker have limited privileges compared to those inside Google resolving bugs. Birsan said he found a JavaScript method that allows an individual to remove themselves from a CC list via a POST request, and that it could be abused to learn the full details of a bug. Birsan said he could have accessed the entire Issue Tracker.

“I don’t know exactly what else was on there, because I kept my behavior ethical during testing,” he said. “I only viewed enough information to confirm I had the extra privileges.”

Birsan said he provided the system a few consecutive tracking numbers to confirm the issue.

“Yes, I could see details about vulnerability reports, along with everything else hosted on the Buganizer,” he wrote, adding that Google’s security team disabled the endpoint he was accessing within an hour. “Even worse, I could exfiltrate data about multiple tickets in a single request, so monitoring all the internal activity in real time probably wouldn’t have triggered any rate limiters.”

Birsan said there would be limitations keeping an attacker with similar access from turning the exposed information into a working exploit.

“It depends entirely on what kind of exploits would have been reported,” Birsan said. “Generally speaking, great technical knowledge and the ability to write post-exploitation scripts quickly help a lot in situations like this, where you have an extremely tight deadline to attack before the bug is fixed.”

Birsan’s disclosure today comes shortly after a similar incident report involving Microsoft’s internal bug-tracking system. A Reuters report published Oct. 17 described a 2013 attack against Microsoft’s system that was corroborated by five former employees.

“Bug trackers used within prominent tech companies can be a hugely lucrative target for attackers looking to improve their 0-day capabilities. Access to a private bug tracker gives the attackers lead time toward crafting an exploit as well as for finding related bugs before the public security community has a chance to do so,” said Craig Young, a security researcher with Tripwire. “A clever attacker might also take advantage of unauthorized bug tracker access to delay patch releases by manipulating data in the tracker (e.g., delaying when developers see the report, changing pertinent details so that the bug does not reproduce, or even just closing out tickets as invalid).”

Discussion

There is unauthorized access to Bug Trackers, but there is also authorized access. As the article is saying, Google employees and certain teams have access to material which is closed to the public. Maybe those people with access should also be better screened. Rogue personnel is not unheard of, and when you think of it - wouldn't having such a position in a company such as Google be ideal for an attacker?
